Past NSA tech director: Healthcare 'prime target' for cybercriminals

'There are very few places where you can insert malware into a network that causes people to die. But a hospital is a prime example'
By Erin McCann
06:10 PM

Take it from someone who has spent 41 years of his career as a mathematician, cryptographer and technical director at the U.S. National Security Agency: Healthcare is hugely vulnerable to cybercrime. And this is a reality health organizations need to quickly come to terms with so they can better protect their data assets.

Richard "Dickie" George got his beginnings at the NSA back in the 1970s and worked there until his retirement in 2011. Now, George serves as senior cybersecurity advisor at Johns Hopkins University Physics Lab and has more than a few things to say on the topic of cybersecurity in healthcare. He'll be speaking more comprehensively on the topic in a keynote at the Healthcare IT News' Privacy & Security Forum in Chicago later this month.

When he looks back on his early days at the NSA, George describes it as a much more simpler target landscape back in the Cold War era. In the 70s, he says, there were only two real players: the U.S. and the Soviet Union. And there were clear-cut rules that both sides followed.

[See also: The Privacy & Security Forum kicks off this June 30.]

"We knew what the rules were, and we abided by those rules," he tells Healthcare IT News. "We knew what the Russians were going after. They knew what we were going after." They were going after strategic government information. It wasn't personal like it is today, he points out.

Nowadays, the target landscape takes an entirely different form. No longer is it just about nuclear weapons and "one-on-one, meet-in-a-bar espionage," says George. "In today's world, it's cyber." Gone are the days where the government is the sole target. "The field of targets has expanded from the government to private industry, private people, critical infrastructure."

"The rules have changed, and nobody today knows what the rules are because the game is filled with people who don't play by the rules."

What's more, in addition to the ever-expanding field of targets, in this world of cyberthreats, there's virtually no rulebook, adds George. In the '70s, "where I was target, and I knew I was a target, and I knew what the rules were and what I had to do to not be taken," he says. "The rules have changed, and nobody today knows what the rules are because the game is filled with people who don't play by the rules."

And when laptops and EMRs and patient portals are the reality, that interconnectedness is also one of the biggest vulnerabilities. And it carries with it some serious risk-management implications.

[See also: Report: Healthcare state of security a mixed bag.]

Take the six-hospital Johns Hopkins Health System, for instance. Consider its network: Physicians, students, foreign nationals, professors, researchers etc. With all of the hospitals connected, for every network action, "every person on that network," George continues, "is making a risk management decision without understanding the impact on those other members." They don't understand that they share the risk, he says, and "that's a huge problem."

If you look at the six-step threat/adversary model and consider capabilities and resources; intent and motivation; access and risk aversion, you may realize that "healthcare has a lot of things," adds George. For some threat actors, they may be after information on specific individuals. For others, they may want to use the data against certain individuals. And for terrorists, he continues, an electronic medical record might be an attractive target, as there's the possibility of causing deaths.

[See also: Healthcare's slack security costs $1.6B.]

George recalls the case of Jesse William McGraw, a contract employee at a medical center in Texas, who was sentenced back in 2011 for hacking into the hospital's computer systems and inserting malware into the network. McGraw, a night-shift security guard, was able to hack into 14 computers, including an HVAC unit that controlled the temperature and air in a surgery center and a nurses' station computer. According to federal officials, McGraw could have impacted the efficacy of temperature-sensitive drugs and supplies.

"There are very few places where you can insert malware into a network that causes people to die," said George. "But a hospital is a prime example."

So healthcare organizations, listen up: "Everybody in the country is a legitimate target because someone wants money, someone wants information, somebody wants to make money off the stock market, somebody wants to know what your business plans are," says George. "Everybody wants something, and you can get at it through the Internet, which you couldn't do 30 years ago."

Related Video: